Tornado For DO-178B - The Open Group

Transcription

Tornado for DO-178B
COTS software for certifiable applications
William Boyer-Vidal (Account Manager)
Olivier Charrier (Field Application), windriver.com

17-Apr-02 2001 Wind River Systems, Inc.2


Industry Paid - Certification
Boeing builds plane -> Boeing spends for certification -> Request type certificate -> FAA audit -> either FAA rejects certification or plane can fly

Software Components of a System
- System = Target System + Operating System (VxWorks/Cert) + User Code (Ada, C, code)
- System cannot be certified unless VxWorks is verified

The COTS Advantage
- Shorter time to market
- Increased productivity through leading tools
- More engineers familiar with products
- Support is not an in-house function
- Allows you to concentrate on your value component: application development
- Widespread adoption leads to: reduced costs, increased robustness, longer time-in-market

Avionics COTS
DO-178B Glossary Entry: "Commercial off the shelf (COTS) software – Commercially available applications sold by vendors through public catalog listings. COTS software is not intended to be customized or enhanced. Contract-negotiated software developed for a specific application is not COTS software."

Avionics COTS Problem?
- Still have to comply with DO-178B objectives
- But, generally:
  - certification material not available
  - prohibitive development costs
  - stifles innovation
- Options:
  - buy source code, develop certification material
  - buy consultancy services from vendor

'Service-based' Certification
Drawbacks:
- True cost hidden
- Feature set not guaranteed
- Support
- Ownership of certification material unclear

Wind River's Solution
A true DO-178B COTS product, including:
- Certifiable multitasking RTOS
- Leading development tools
- Supporting DO-178B certification material
DO-178B Level A software development, out of the box

Wind River DO-178B Expertise
- October 1999: Joseph Wlad (Wind River) in charge. 16 years of avionics design, development, test and evaluation, including:
  - Douglas Aircraft Company: MD-11 test and certification
  - United Airlines: B747 fleet engineering and modification
  - Trimble Navigation: engineering manager (development and FAA approval of GPS sensors)
  - Wind River: OS certification manager
- 3 engineers to support testing and release of our product
- FAA DER: Systems and Equipment and Software, Long Beach ACO

17-Apr-02 2001 Wind River Systems, Inc.14

Definition of the Certifiable VxWorks
Objective: definition of a true subset of the VxWorks API that may be certified, and its rationale
Guidelines:
- FAA guidelines to Level A objectives as defined by DO-178B
- Requirements from RTCA/SC-182 (ACR MOPS) and ARINC 653
- API of the subset to remain consistent with VxWorks
- Elimination of functions compromising predictability and leading to memory fragmentation
- Elimination of functions compromising a safety-critical application
Approach: examination of the source code and architecture, multiple analysis passes

Definition of the Certifiable VxWorks
- Start with examination of the source code and architecture:
  - determine functions which are predictable and certifiable
  - eliminate unnecessary functionality and any features that may compromise a safety-critical application
- Define a true subset of VxWorks that may be certified. Removed:
  - network protocol support and file systems
  - shared memory for multiple processors
  - object-oriented features: dynamic links, other C features
  - debug facilities, BSPs, and various tools
  - dynamic allocation and de-allocation of memory

Definition of the Certifiable VxWorks
- Create a subset definition and rationale; results in a scaled-down version of VxWorks, 15K SLOC
- Create a Software Hazard Analysis: identifies potential failure conditions in the software, their potential impact, and proposed mitigation; updated at each phase of the software lifecycle
- Create a Plan for Software Aspects of Certification (PSAC) that describes the reverse-engineering strategy; provides the certification authorities an overview of the means of compliance and insight into the planning aspects for delivery of the product
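The subset above drops dynamic allocation and de-allocation because a general-purpose heap is neither time-predictable nor fragmentation-free. The usual application-side replacement is a statically reserved pool of equal-sized blocks. The following is an added example written for this page; it is not Wind River or VxWorks/Cert code, and the block size and block count are assumptions chosen for illustration. It shows the two properties the guidelines ask for: every operation runs in constant time, and because all blocks are the same size the pool cannot fragment, so a freed block is always reusable. It also rejects double frees and pointers that are not block starts, since those are the failure conditions a hazard analysis would list for this component.

```c
/* Added example (not Wind River code): a statically allocated fixed-block
 * pool, the usual replacement for malloc/free when the RTOS subset excludes
 * dynamic allocation. All memory is reserved at compile time, alloc/free run
 * in constant time, and same-sized blocks mean the pool cannot fragment. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POOL_BLOCK_SIZE  64u   /* assumption: payload bytes per block */
#define POOL_BLOCK_COUNT 8u    /* assumption: number of blocks in the pool */
#define POOL_END         0xFFu /* free-list terminator (count must be < 255) */

typedef struct {
    uint8_t storage[POOL_BLOCK_COUNT][POOL_BLOCK_SIZE];
    uint8_t next[POOL_BLOCK_COUNT];   /* index-based free-list links */
    uint8_t in_use[POOL_BLOCK_COUNT]; /* guards against double free */
    uint8_t head;                     /* index of first free block */
    size_t  free_count;
} block_pool_t;

/* Build the free list once at start-up; nothing is allocated afterwards. */
void pool_init(block_pool_t *p)
{
    memset(p, 0, sizeof *p);
    for (size_t i = 0; i < POOL_BLOCK_COUNT; i++) {
        p->next[i] = (uint8_t)(i + 1 < POOL_BLOCK_COUNT ? i + 1 : POOL_END);
    }
    p->head = 0;
    p->free_count = POOL_BLOCK_COUNT;
}

/* Constant-time allocation. Returns NULL when the pool is exhausted, so the
 * caller's handling of exhaustion is an explicit, testable requirement. */
void *pool_alloc(block_pool_t *p)
{
    if (p->head == POOL_END) {
        return NULL;
    }
    uint8_t i = p->head;
    p->head = p->next[i];
    p->in_use[i] = 1;
    p->free_count--;
    return p->storage[i];
}

/* Constant-time release. Rejects pointers outside the pool, pointers that are
 * not block starts, and blocks not currently allocated (double free).
 * Returns 0 on success and -1 on a rejected release. */
int pool_free(block_pool_t *p, void *blk)
{
    uintptr_t b = (uintptr_t)blk;
    uintptr_t base = (uintptr_t)&p->storage[0][0];
    if (b < base || b >= base + sizeof p->storage) return -1;
    size_t off = (size_t)(b - base);
    if (off % POOL_BLOCK_SIZE != 0) return -1;
    size_t i = off / POOL_BLOCK_SIZE;
    if (!p->in_use[i]) return -1;
    p->in_use[i] = 0;
    p->next[i] = p->head;
    p->head = (uint8_t)i;
    p->free_count++;
    return 0;
}

size_t pool_free_blocks(const block_pool_t *p) { return p->free_count; }

/* Walks a mixed alloc/free sequence: fill the pool, free three scattered
 * blocks, reject a double free, reuse exactly those three blocks, and hit
 * deterministic exhaustion again. Returns 1 if every step behaves as
 * described, 0 otherwise. */
int pool_demo(void)
{
    static block_pool_t pool; /* statically reserved, as the subset requires */
    void *blocks[POOL_BLOCK_COUNT];
    pool_init(&pool);
    for (size_t i = 0; i < POOL_BLOCK_COUNT; i++) {
        blocks[i] = pool_alloc(&pool);
        if (blocks[i] == NULL) return 0;
    }
    if (pool_alloc(&pool) != NULL) return 0;         /* exhausted, no UB */
    if (pool_free(&pool, blocks[1]) != 0) return 0;
    if (pool_free(&pool, blocks[4]) != 0) return 0;
    if (pool_free(&pool, blocks[6]) != 0) return 0;
    if (pool_free(&pool, blocks[6]) == 0) return 0;  /* double free rejected */
    if (pool_free_blocks(&pool) != 3) return 0;
    for (int k = 0; k < 3; k++) {
        if (pool_alloc(&pool) == NULL) return 0;     /* freed blocks reused */
    }
    return pool_alloc(&pool) == NULL;                /* exhausted again */
}
```

Because the worst-case path through `pool_alloc` and `pool_free` is a handful of array operations, a timing analysis can bound both with a fixed number of instructions, which is what "predictable" means for a Level A argument; a general heap with coalescing cannot give that bound.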

Software Development Process
- Wind River products comply with ISO requirements
- Not ISO 9000-3 (S/W Quality) compliant
- Therefore, adaptations are required to comply with DO-178B objectives

Wind River DO-178B Process
Standard waterfall (requirements-based model). Here the code already exists, so design and requirements are recovered from it and the tests are re-engineered:
1. Code (exists)
2. Design
3. Requirements
4. Develop Tests -> Test

Traceability
Requirements -> Design -> Source Code -> Test Procedures -> Test Results
Each artifact is reviewed, and the linkage between adjacent artifacts provides the traceability.

Certification Material
- Plan for Software Aspects of Certification
- Software Quality Assurance Plan
- Software Configuration Management Plan
- Software Development Plan
- Software Requirements Standards
- Software Design Standards
- Software Coding Standards
- Software Verification Plan
- Software Requirements Specification
- Software Design Document
- Version Description Document
- Traceability Matrix
- Software Development Folder
- Design reviews
- Code reviews
- Test reviews
- Functional tests
- Coverage results
- Tool qualification documentation
- Software Accomplishment Summary

Target Audience and Products
- People who want to use a certifiable base for their project:
  - people bidding on projects
  - people with an existing VxWorks application evaluating whether the application could be certified
  - people in search of a 'safe' kernel
  -> Tornado for DO-178B Starter Kit
- People engaging in the certification of applications
  -> Tornado for DO-178B Certification

Product Packaging
Comparison of the Tornado for DO-178B Starter Kit and Tornado for DO-178B Certification across the following components:
- Development: VxWorks/Cert
- Source Code: for VxWorks/Cert and tests
- Certification: certification documentation required to certify an application
- Verification Tool / Results: coverage analysis tool and results

Development Cycle
1. Develop (Tornado/Cert, subset API, tools, VxWorks): develop, debug, tune
2. Verify (VxWorks/Cert): verification, code coverage
3. Deploy: certified application using VxWorks/Cert

Updated Project Facility


Reusable Software Components (RSC)
- RSC Developer (Wind River) -> RSC: VxWorks/Cert
- Integrator (Honeywell) -> Product, e.g. FMS
- Applicant (Honeywell or Boeing) -> Product or Plane, e.g. FMS, Boeing X
- FAA

Reusable Software Component - Credit
- Applicant applies for Type Certificate for Product
- Applicant supplies DO-178B materials for RSC:
  - Software Level (A, B, C, D)
  - Identified processor type
  - Identified compiler
- FAA provides letter to RSC developer which documents certification credit
- Eliminates / reduces re-verification on new project

Wind River in the Certification Process
- System (i.e. Boeing 777, Airbus A3xx): letter of intent to develop a system or subsystem (TSO or TC/STC requirement) -> FAA or Certification Authority: project number assignment
- Subsystem (i.e. Flight Management System): application development -> certification material for application software and VxWorks -> company- or FAA-assigned DER review -> letter of approval
- Reusable Software Components (i.e. VxWorks)


DO-178B: The Wind River Advantage
Tornado for DO-178B:
- True COTS solution
- Leverage existing VxWorks expertise
- Benefit from Tornado and other Wind River tools for development
- Facilitate the testing for certification, resulting in better time to market and cost reduction
- Solution tailored to the needs of the application: Starter Kit, Certification Kit
